author: Phil Pennock <pdp@exim.org> 2012-05-04 04:39:01 -0700
committer: Phil Pennock <pdp@exim.org> 2012-05-04 04:39:01 -0700
commit: 7be682ca5ebd9571a01b762195b11c34cd231830 (patch)
tree: a7c2ddde30095369d705a32131be71d6e6cc5091 /doc
parent: fb2bba55d3916ab1d515f1a060f19009daf447ed (diff)
TLS SNI support for OpenSSL ($tls_sni)
Diffstat (limited to 'doc')
-rw-r--r-- doc/doc-docbook/spec.xfpt 18
-rw-r--r-- doc/doc-txt/ChangeLog 3
-rw-r--r-- doc/doc-txt/NewStuff 7
3 files changed, 28 insertions, 0 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 016f3f075..32e24ca80 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -11888,6 +11888,24 @@ the value of the Distinguished Name of the certificate is made available in the
value is retained during message delivery, except during outbound SMTP
deliveries.
+.new
+.vitem &$tls_sni$&
+.vindex "&$tls_sni$&"
+.cindex "TLS" "Server Name Indication"
+When a TLS session is being established, if the client sends the Server
+Name Indication extension, the value will be placed in this variable.
+If the variable appears in &%tls_certificate%& then this option and
+&%tls_privatekey%& will be re-expanded early in the TLS session, to permit
+a different certificate to be presented (and optionally a different key to be
+used) to the client, based upon the value of the SNI extension.
+
+The value will be retained for the lifetime of the message, and not changed
+during outbound SMTP.
+
+This is currently only available when using OpenSSL, built with support for
+SNI.
+.wen
+
.vitem &$tod_bsdinbox$&
.vindex "&$tod_bsdinbox$&"
The time of day and the date, in the format required for BSD-style mailbox
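Review bot: the new $tls_sni paragraph should state that the value is supplied by the client and is not validated by Exim, because the feature exists precisely to feed it into tls_certificate and tls_privatekey, which expand to file paths; suggest adding a sentence recommending that administrators map the value through a lookup or check it against the hostnames they actually serve rather than interpolating it directly into a path. The paragraph also lacks the caveat that the NewStuff entry carries, that both options must still expand to valid files when $tls_sni is unset (clients that send no SNI); since spec.xfpt is the reference document, that sentence belongs here as well. Lastly, "built with support for SNI" would be more useful if it said how an administrator can confirm that their OpenSSL build has it.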
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index a491cf973..4ad79c28e 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -73,6 +73,9 @@ PP/16 Removed "dont_insert_empty_fragments" fron "openssl_options".
Removed SSL_clear() after SSL_new() which led to protocol negotiation
failures. We appear to now support TLS1.1+ with Exim.
+PP/17 OpenSSL: new expansion var $tls_sni, which if used in tls_certificate
+ lets Exim select keys and certificates based upon TLS SNI from client.
+
Exim version 4.77
-----------------
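Review bot: the PP/17 entry only names tls_certificate, but the change also re-expands tls_privatekey and still requires both options to expand to valid files when the client sends no SNI; one more line saying so would keep the ChangeLog consistent with the NewStuff and spec text. Minor: the adjacent PP/16 line reads "fron" for "from" and could be fixed while in the file.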
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 0aee33cec..b788b45dc 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -42,6 +42,13 @@ Version 4.78
administrators can choose to make the trade-off themselves and restore
compatibility at the cost of session security.
+ 7. Use of the new expansion variable $tls_sni in the main configuration option
+ tls_certificate will cause Exim to re-expand the option, if the client
+ sends the TLS Server Name Indication extension, to permit choosing a
+ different certificate; tls_privatekey will also be re-expanded. You must
+ still set these options to expand to valid files when $tls_sni is not set.
+ Currently OpenSSL only.
+
Version 4.77
------------
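Review bot: item 7 explains when re-expansion happens but not what happens when the re-expanded tls_certificate or tls_privatekey names a file that does not exist or fails to load for a particular SNI value; state whether the handshake is aborted or Exim falls back to the default certificate, since an operator needs that to reason about availability and to avoid unintentionally presenting the wrong certificate. It would also help to say explicitly that the re-expansion is triggered only when $tls_sni appears in tls_certificate (as the spec text says), so that a reference to the variable in tls_privatekey alone is not mistaken for enabling the feature.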